IP Intelligence module — 5-method VPN detection, Tor exit node matching, residential proxy identification, and GeoIP
tracio.ai's IP Intelligence suite analyzes every visitor's IP address to detect VPN usage, proxy connections, Tor exit nodes, residential proxy networks, and relay services. It also provides city-level geolocation with timezone cross-validation and IP reputation scoring based on historical abuse data. All IP intelligence signals are computed server-side with sub-5ms latency and are included in every identification response.
IP intelligence is particularly valuable because it operates independently of browser signals. Even if a visitor completely blocks JavaScript or uses an anti-fingerprinting browser, IP-based detection still works because it analyzes the network layer rather than the browser environment.
| Capability | Product Key | Detection Method | Accuracy |
|---|---|---|---|
| VPN Detection | vpn | 4 methods: timezone mismatch, ASN matching, relay detection, TURN probe | Very High |
| Proxy Detection | proxy | HTTP proxy headers, datacenter IP matching, behavioral analysis | High |
| Tor Detection | tor | Real-time matching against known exit node list (updated hourly) | Very High |
| Residential Proxy | residentialProxy | Velocity analysis, P2P network signatures, residential IP anomalies | High |
| Relay Detection | relay | iCloud Private Relay and Cloudflare WARP IP range matching | Very High |
| IP Geolocation | ipLocation | MaxMind GeoIP2 with city-level accuracy and timezone cross-validation | High |
| IP Blocklist | ipBlocklist | Aggregated threat intelligence feeds (spam, attacks, malware C2) | High |
| IP Reputation | ipReputation | Historical abuse pattern scoring across multiple data sources | High |
VPN detection uses four independent detection methods. Each method is evaluated independently, and the results are combined to produce a confidence level. When multiple methods agree, the confidence is "high". A single strong indicator produces "medium" confidence, and minor discrepancies that could be legitimate (such as a user near a timezone boundary) produce "low" confidence.
| Method | How It Works | Accuracy | Limitations |
|---|---|---|---|
| Timezone Mismatch | Compares the device timezone (from Intl.DateTimeFormat) with the GeoIP timezone for the connecting IP. Mismatches indicate the traffic is routed through a different region. | High | False positives for travelers, users near timezone boundaries, and users who manually changed their system timezone. |
| Public VPN ASN | Matches the connecting IP against a curated database of 42+ known VPN provider Autonomous System Numbers. Covers NordVPN, ExpressVPN, Mullvad, ProtonVPN, Surfshark, PIA, CyberGhost, Windscribe, and many others. | Very High | Does not detect private VPN servers or small/new providers not yet in the database. |
| Relay Detection | Identifies anonymizing relay services by matching IP ranges published by Apple (iCloud Private Relay) and Cloudflare (WARP). These services mask the user's real IP while maintaining performance. | Very High | Relay services publish their IP ranges, so detection is definitive. However, new ranges may have a short delay before being added. |
| TURN Probe | Uses a WebRTC TURN server to discover the visitor's real IP address. The browser establishes a TURN connection that reveals the true network interface IP, which is compared against the HTTP request IP. A mismatch confirms VPN/proxy usage. | Very High | Requires a configured TURN server. Some VPNs route WebRTC traffic through the tunnel, in which case the probe shows the same VPN IP. |
```json
// VPN detected with high confidence
{
  "vpn": {
    "data": {
      "result": true,
      "confidence": "high",
      "originTimezone": "America/New_York",
      "methods": {
        "timezoneMismatch": true,
        "publicVPN": true,
        "osMismatch": false,
        "relay": false
      }
    }
  }
}

// No VPN detected
{
  "vpn": {
    "data": {
      "result": false,
      "confidence": "high",
      "originTimezone": "Europe/Prague",
      "methods": {
        "timezoneMismatch": false,
        "publicVPN": false,
        "osMismatch": false,
        "relay": false
      }
    }
  }
}
```

tracio.ai detects multiple proxy types using a combination of IP analysis, header inspection, and behavioral patterns. Proxy detection is returned as a separate product from VPN detection because the use cases and risk profiles differ. Datacenter proxies are commonly used in automated attacks, while residential proxies are often used for more sophisticated fraud that is harder to detect.
| Proxy Type | Detection Method | Risk Level | Common Use |
|---|---|---|---|
| Datacenter Proxy | IP belongs to a known hosting or cloud provider ASN (AWS, GCP, Azure, DigitalOcean, OVH, Hetzner, etc.) | High | Web scraping, credential stuffing, automated attacks |
| Residential Proxy | Velocity analysis: abnormally high number of distinct visitor IDs from a single residential IP address over time | Very High | Sophisticated fraud, sneaker bots, account creation farms |
| HTTP Proxy | Detection of proxy-related HTTP headers: X-Forwarded-For, Via, X-Proxy-ID, and similar headers that indicate traffic passed through a proxy | Medium | Corporate proxies, caching proxies, transparent proxies |
| SOCKS Proxy | Behavioral analysis combined with datacenter IP matching. SOCKS proxies do not modify HTTP headers, so detection relies on IP classification and traffic patterns. | Medium-High | Anonymization, circumventing geo-restrictions |
Residential proxies are the hardest proxy type to detect because they use real residential IP addresses. tracio.ai's detection approach uses velocity analysis: when a residential IP address is used by an abnormally high number of distinct visitor fingerprints (e.g., 20+ unique visitors from the same home IP in 24 hours), it strongly suggests the IP is part of a proxy network. The detection also considers P2P proxy network signatures and known residential proxy provider IP pools.
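The velocity check described above can be sketched as a sliding-window counter of distinct visitor IDs per IP. This is an added example, not tracio.ai's code: the class and method names are hypothetical, the sample data is constructed, and only the 24-hour window and the threshold of 20 come from the text.

```javascript
// Added example: sliding-window count of distinct visitor IDs per IP.
// The 24-hour window and threshold of 20 come from the text above; the class
// and method names are hypothetical, not tracio.ai's API.
const WINDOW_MS = 24 * 60 * 60 * 1000;
const THRESHOLD = 20;

class VelocityTracker {
  constructor(windowMs = WINDOW_MS, threshold = THRESHOLD) {
    this.windowMs = windowMs;
    this.threshold = threshold;
    this.byIp = new Map(); // ip -> Map(visitorId -> last-seen timestamp in ms)
  }

  // Record one identification event and return the verdict for that IP.
  observe(ip, visitorId, nowMs) {
    let seen = this.byIp.get(ip);
    if (!seen) {
      seen = new Map();
      this.byIp.set(ip, seen);
    }
    seen.set(visitorId, nowMs);
    // Evict visitor IDs last seen before the window started, so a busy
    // household or cafe is not penalised for visitors from days ago.
    for (const [id, ts] of seen) {
      if (nowMs - ts > this.windowMs) seen.delete(id);
    }
    return { ip, distinct: seen.size, suspected: seen.size >= this.threshold };
  }
}

// Constructed sample data (documentation-range IPs, made-up visitor IDs).
function runSample() {
  const HOUR = 60 * 60 * 1000;
  const tracker = new VelocityTracker();
  let farm;
  // 30 different fingerprints from one IP, one per hour.
  for (let i = 0; i < 30; i++) {
    farm = tracker.observe('203.0.113.7', `visitor-${i}`, i * HOUR);
  }
  let home;
  // A household: three devices, one of them seen twice.
  for (const id of ['laptop', 'phone', 'tablet', 'phone']) {
    home = tracker.observe('198.51.100.20', id, 29 * HOUR);
  }
  return { farm, home };
}
```

In the sample, the first IP ends with 25 distinct visitors inside the window (the five oldest have aged out) and is flagged, while the household stays at 3.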
```json
{
  "proxy": {
    "data": {
      "result": true,
      "confidence": "high"
    }
  },
  "residentialProxy": {
    "data": {
      "result": true
    }
  }
}
```

tracio.ai maintains a continuously updated list of known Tor exit node IP addresses, sourced from the Tor Project's directory authorities. The list is refreshed hourly to account for the dynamic nature of the Tor network, where nodes come and go frequently. When a visitor's IP matches a known exit node, `tor.result` is set to `true`.
Tor detection is supplemented by browser-level signals when the visitor is using Tor Browser specifically (as opposed to routing other browsers through Tor). Tor Browser has a distinctive fingerprint profile that includes blocked canvas rendering, blocked WebGL, UTC timezone regardless of the user's actual location, a limited and standardized font set, and rounded screen dimensions to prevent screen size-based tracking.
City-level geolocation is derived from the visitor's IP address using MaxMind GeoIP2 databases. The geolocation data includes coordinates, timezone, accuracy radius, city, country, continent, and administrative subdivisions. The accuracy radius indicates how confident the geolocation estimate is, typically 5-50km for urban areas and 100-500km for rural or VPN-obfuscated connections.
```json
{
  "ipLocation": {
    "accuracyRadius": 20,
    "latitude": 50.05,
    "longitude": 14.4,
    "timezone": "Europe/Prague",
    "postalCode": "110 00",
    "city": { "name": "Prague" },
    "country": { "code": "CZ", "name": "Czechia" },
    "continent": { "code": "EU", "name": "Europe" },
    "subdivisions": [
      { "isoCode": "10", "name": "Hlavni mesto Praha" }
    ]
  }
}
```

| Field | Type | Description |
|---|---|---|
| accuracyRadius | number | Estimated accuracy in kilometers. Lower values indicate higher precision. |
| latitude | number | Approximate latitude of the IP location (-90 to 90) |
| longitude | number | Approximate longitude of the IP location (-180 to 180) |
| timezone | string | IANA timezone identifier (e.g., "Europe/Prague") |
| city.name | string | City name in English |
| country.code | string | ISO 3166-1 alpha-2 country code |
| country.name | string | Full country name in English |
| continent.code | string | Continent code (AF, AN, AS, EU, NA, OC, SA) |
| subdivisions | array | Administrative divisions (state, province, region) |
tracio.ai cross-validates the GeoIP-derived timezone against the browser's reported timezone from Intl.DateTimeFormat().resolvedOptions().timeZone. When these two timezones differ, it is a strong indicator of VPN usage, geographic spoofing, or a manually configured system timezone. This cross-validation is one of the four methods used in VPN detection.
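One way to run this cross-check on the server, as an added example that is not tracio.ai's implementation: it compares UTC offsets at a given instant instead of zone names, so two names for the same local time do not count as a mismatch. The function names and the 60-minute "minor" cut-off are assumptions made for the illustration.

```javascript
// Added example. Function names and the 60-minute "minor" cut-off are
// assumptions for illustration, not part of the tracio.ai API.

// Offset in minutes east of UTC for an IANA zone at a given instant.
// Throws RangeError if the zone name is not a valid IANA identifier.
function utcOffsetMinutes(timeZone, at = new Date()) {
  const parts = new Intl.DateTimeFormat('en-US', {
    timeZone, hourCycle: 'h23',
    year: 'numeric', month: 'numeric', day: 'numeric',
    hour: 'numeric', minute: 'numeric', second: 'numeric',
  }).formatToParts(at);
  const v = {};
  for (const p of parts) {
    if (p.type !== 'literal') v[p.type] = Number(p.value);
  }
  // Re-read the zone's wall-clock time as if it were UTC; the gap to the
  // real instant is the zone's offset.
  const asUtc = Date.UTC(v.year, v.month - 1, v.day, v.hour, v.minute, v.second);
  return Math.round((asUtc - at.getTime()) / 60000);
}

// browserTz: value reported by Intl.DateTimeFormat().resolvedOptions().timeZone
// geoTz:     ipLocation.timezone from the GeoIP lookup
function compareTimezones(browserTz, geoTz, at = new Date()) {
  if (browserTz === geoTz) {
    return { mismatch: false, severity: 'none', diffMinutes: 0 };
  }
  let diff;
  try {
    diff = Math.abs(utcOffsetMinutes(browserTz, at) - utcOffsetMinutes(geoTz, at));
  } catch (err) {
    // The client sent a string that is not a real zone: treat as a signal.
    return { mismatch: true, severity: 'invalid', diffMinutes: null };
  }
  if (diff === 0) {
    // Different names, same local time (e.g. neighbouring countries).
    return { mismatch: false, severity: 'same-offset', diffMinutes: 0 };
  }
  // One zone apart is plausible near a boundary; more is a strong signal.
  return { mismatch: true, severity: diff <= 60 ? 'minor' : 'strong', diffMinutes: diff };
}
```

A `minor` result corresponds to the boundary case the page treats as low confidence, and `strong` to a clear mismatch.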
The IP blocklist checks visitor IPs against aggregated threat intelligence feeds covering known spam sources, attack origins, malware command-and-control servers, and credential stuffing infrastructure. The blocklist database is updated daily and covers millions of known-bad IP addresses from multiple commercial and open-source threat intelligence providers.
```json
{
  "ipBlocklist": {
    "data": {
      "result": true,
      "details": {
        "emailSpam": false,
        "attackSource": true
      }
    }
  }
}
```

```javascript
// Access control inside a request handler (res is the HTTP response object).
const event = await fetchEvent(requestId);
const { ipLocation } = event.products.identification.data;
const vpn = event.products.vpn.data;
const tor = event.products.tor.data;

// Block Tor and high-confidence VPN for regulated services
if (tor.result) {
  return res.status(403).json({ error: 'Tor access not permitted' });
}
if (vpn.result && vpn.confidence === 'high') {
  return res.status(403).json({ error: 'VPN access not permitted for this service' });
}

// Enforce geographic restrictions
const allowedCountries = ['US', 'CA', 'GB', 'DE', 'FR'];
if (!allowedCountries.includes(ipLocation.country.code)) {
  return res.status(403).json({
    error: 'Service not available in your region',
    country: ipLocation.country.name,
  });
}
```

```typescript
// Impossible-travel check: compares the current location with recent visits.
// haversineDistance() is not defined in this snippet and must be supplied.
async function checkImpossibleTravel(visitorId: string, currentEvent: FPEvent) {
  const history = await client.getVisitorHistory(visitorId, { limit: 5 });
  const currentLocation = currentEvent.products.identification.data.ipLocation;

  for (const visit of history.visits) {
    const timeDiffHours = (Date.now() - new Date(visit.timestamp).getTime()) / 3600000;
    const prevLocation = visit.ipLocation;

    // Calculate approximate distance (Haversine formula)
    const distanceKm = haversineDistance(
      currentLocation.latitude, currentLocation.longitude,
      prevLocation.latitude, prevLocation.longitude,
    );

    // Max realistic travel speed: 900 km/h (commercial flight)
    const maxPossibleDistance = timeDiffHours * 900;

    if (distanceKm > maxPossibleDistance && distanceKm > 500) {
      return {
        impossible: true,
        from: prevLocation.city.name,
        to: currentLocation.city.name,
        distanceKm: Math.round(distanceKm),
        timeHours: Math.round(timeDiffHours * 10) / 10,
      };
    }
  }
  return { impossible: false };
}
```

```typescript
// Additive IP risk score built from the Tor, VPN and proxy products.
function assessIPRisk(event: FPEvent): {
  riskLevel: string;
  reasons: string[];
} {
  const reasons: string[] = [];
  let score = 0;

  const vpn = event.products.vpn.data;
  const proxy = event.products.proxy.data;
  const tor = event.products.tor.data;

  if (tor.result) {
    score += 30;
    reasons.push('Tor exit node detected');
  }
  if (vpn.result && vpn.confidence === 'high') {
    score += 20;
    reasons.push('VPN detected (high confidence)');
  }
  if (proxy.result && proxy.confidence === 'high') {
    score += 25;
    reasons.push('Proxy detected');
  }

  // Map the score to a level: >= 40 critical, >= 25 high, >= 10 medium.
  let riskLevel = 'low';
  if (score >= 40) riskLevel = 'critical';
  else if (score >= 25) riskLevel = 'high';
  else if (score >= 10) riskLevel = 'medium';

  return { riskLevel, reasons };
}
```
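The `checkImpossibleTravel` snippet above calls `haversineDistance` without defining it. The following added example (not tracio.ai's code) supplies one and a pure version of the speed check that also subtracts each location's `accuracyRadius`, so GeoIP imprecision does not produce a false alarm. The `impossibleTravel` function, the `timestampMs` field and the New York and Brno coordinates are constructed for the illustration; the 900 km/h and 500 km limits are the page's.

```javascript
// Added example; impossibleTravel() and the timestampMs field are hypothetical.
const EARTH_RADIUS_KM = 6371; // mean Earth radius

// Great-circle distance in kilometers between two lat/lon points (degrees).
function haversineDistance(lat1, lon1, lat2, lon2) {
  const toRad = (deg) => (deg * Math.PI) / 180;
  const dLat = toRad(lat2 - lat1);
  const dLon = toRad(lon2 - lon1);
  const a = Math.sin(dLat / 2) ** 2 +
    Math.cos(toRad(lat1)) * Math.cos(toRad(lat2)) * Math.sin(dLon / 2) ** 2;
  // Clamp to 1 so rounding error near antipodal points cannot yield NaN.
  return 2 * EARTH_RADIUS_KM * Math.asin(Math.min(1, Math.sqrt(a)));
}

// prev/curr: { timestampMs, ipLocation: { latitude, longitude, accuracyRadius } }
function impossibleTravel(prev, curr, maxSpeedKmh = 900, minDistanceKm = 500) {
  const hours = Math.abs(curr.timestampMs - prev.timestampMs) / 3600000;
  const raw = haversineDistance(
    prev.ipLocation.latitude, prev.ipLocation.longitude,
    curr.ipLocation.latitude, curr.ipLocation.longitude,
  );
  // Each fix may be off by its accuracy radius; use the shortest distance
  // that is still consistent with both estimates.
  const slack = (prev.ipLocation.accuracyRadius || 0) + (curr.ipLocation.accuracyRadius || 0);
  const distanceKm = Math.max(0, raw - slack);
  const impossible = distanceKm > minDistanceKm && distanceKm > hours * maxSpeedKmh;
  return { impossible, distanceKm: Math.round(distanceKm), hours };
}

// Constructed sample visits. Prague uses the coordinates from the ipLocation
// example above; the other two points are approximate city centers.
const HOUR_MS = 3600000;
const prague = { latitude: 50.05, longitude: 14.4, accuracyRadius: 20 };
const newYork = { latitude: 40.71, longitude: -74.01, accuracyRadius: 20 };
const brno = { latitude: 49.19, longitude: 16.61, accuracyRadius: 20 };

function runTravelSample() {
  const first = { timestampMs: 0, ipLocation: prague };
  return {
    twoHoursLater: impossibleTravel(first, { timestampMs: 2 * HOUR_MS, ipLocation: newYork }),
    tenHoursLater: impossibleTravel(first, { timestampMs: 10 * HOUR_MS, ipLocation: newYork }),
    shortHop: impossibleTravel(first, { timestampMs: HOUR_MS / 12, ipLocation: brno }),
  };
}
```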